Ransomware Resurgence: Lockbit Dominates as Conti Offshoots Drive Sharp Increase in Cyberattacks

Following a period of relative calm, the digital threat landscape has witnessed a significant resurgence in ransomware attacks, with new data revealing Lockbit as the most prolific group this summer. This uptick is largely attributed to the re-emergence of established ransomware-as-a-service (RaaS) operations, particularly those with roots in the now-fragmented Conti syndicate. The latest findings from the NCC Group’s monthly threat pulse indicate a substantial increase in successful campaigns, highlighting the persistent adaptability and resilience of cybercriminal enterprises.
Lockbit’s Ascendancy: A Dominant Force in Cyber Extortion
The data compiled by NCC Group, derived from actively monitoring the leak sites utilized by various ransomware groups and meticulously scraping victim details upon release, unequivocally identifies Lockbit as the paramount threat in July. The group, operating under its Lockbit 3.0 iteration, was responsible for a staggering 62 successful attacks during the month. This figure represents a notable increase of ten attacks compared to June and more than double the combined total of the second and third most active groups. Cybersecurity researchers have consistently underscored Lockbit 3.0’s formidable presence, emphasizing its sustained foothold as the most threatening ransomware group and a critical concern for organizations across all sectors. Its operational efficiency, sophisticated infrastructure, and expansive affiliate network contribute to its high volume of successful breaches, making awareness and robust defense mechanisms against its tactics paramount.
Lockbit’s rise to prominence has been a steady climb. Emerging initially as Lockbit 2.0 in mid-2021, the group quickly distinguished itself through its rapid encryption capabilities, aggressive negotiation tactics, and a highly professionalized RaaS model. This model allows core developers to lease their ransomware infrastructure to a vast network of affiliates, who then carry out the actual attacks, sharing a percentage of the ransom profits. Lockbit 3.0, also known as "Lockbit Black," introduced new features, including a bug bounty program to recruit security researchers and a unique token-based payment system, further cementing its reputation as an innovative and evolving threat. The sheer volume of its attacks in July underscores its expansive reach and its ability to consistently compromise diverse targets globally, from small businesses to large corporations and critical infrastructure providers.
The Shadow of Conti: A Strategic Disruption and Subsequent Re-emergence
Trailing Lockbit in July’s threat landscape are two groups with significant ties to the notorious Conti ransomware operation: Hiveleaks and BlackBasta. Hiveleaks recorded 27 attacks, while BlackBasta accounted for 24. These figures represent dramatic increases for both entities, with Hiveleaks experiencing a staggering 440 percent rise since June and BlackBasta seeing a 50 percent increase over the same period. The rapid escalation in activity from these groups strongly suggests an intimate connection between their rise and the broader resurgence in ransomware attacks observed recently.
To understand this phenomenon, one must revisit the turbulent events surrounding Conti earlier in the year. For an extended period, Conti had been arguably the world’s foremost ransomware gang, responsible for high-profile attacks against governmental entities, healthcare providers, and critical infrastructure globally. Its operational structure mirrored that of a legitimate tech company, with dedicated departments for development, human resources, and negotiation, all operating under a centralized command. However, May 2022 marked a pivotal moment in the fight against Russian cybercrime when the United States government escalated its efforts, offering a substantial reward of up to $15 million for actionable intelligence leading to the identification and prosecution of Conti co-conspirators. This unprecedented pressure, combined with internal leaks that exposed the group’s communications and operational details following Russia’s invasion of Ukraine, led to Conti’s ostensible dissolution.
Researchers at NCC Group speculate that this disruption forced a significant restructuring among the threat actors associated with Conti. "It is likely that the threat actors that were undergoing structural changes," the report authors stated, "and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction." This analysis posits that while the Conti brand may have ceased formal operations, its underlying infrastructure, expertise, and, crucially, its network of affiliates did not simply vanish. Instead, they adapted, diversified, and re-emerged under new banners.
From Conti to Offshoots: The Emergence of Hiveleaks and BlackBasta
Hiveleaks and BlackBasta are identified as direct descendants of this restructuring. NCC Group researchers explicitly noted that both groups are "associated with Conti," with Hiveleaks operating as an affiliate and BlackBasta representing a replacement strain of the ransomware itself. This evolution highlights the inherent resilience of the RaaS model, where the core developers or key operatives can simply rebrand or launch new operations, often taking their established network of affiliates with them.
Hiveleaks, while potentially an older Conti affiliate that has now gained more autonomy and prominence, leverages similar tactics and targets. Its rapid ascent suggests a smooth transition for its operators and a ready-made victim pool. BlackBasta, on the other hand, is a newer strain that has quickly carved out a significant niche. Its ransomware capabilities are robust, and its operational security is tight, making it a formidable successor to parts of Conti’s legacy. The seamless transition of these elements back into the threat landscape, albeit under new identities, underscores the fluid nature of cybercrime and the challenges faced by law enforcement in permanently dismantling such sophisticated operations. The authors of the NCC Group report aptly conclude, "As such, it appears that it has not taken long for Conti’s presence to filter back into the threat landscape, albeit under a new identity."
The Broader Ransomware Resurgence: Numbers and Trends
The overall statistics for July reinforce the narrative of a rebounding ransomware threat. NCC Group counted 198 successful ransomware campaigns during the month, marking a substantial 47 percent increase compared to June. While this sharp incline is concerning, it is important to contextualize it against previous highs. The July figures still fall short of the peak observed in the spring, specifically March and April, when nearly 300 such campaigns were recorded each month. This fluctuation, or "flux" as the report terms it, is directly tied to the disruption and subsequent reorganization within the major ransomware syndicates, particularly Conti.
The ebb and flow of ransomware activity often mirrors significant geopolitical events or targeted law enforcement actions. The temporary dip following the US government’s heightened pressure on Conti demonstrated that focused efforts can indeed disrupt these groups. However, the subsequent bounce back, led by Lockbit and the Conti offshoots, illustrates the adaptive nature of cybercriminals. They do not disappear; they evolve, rebrand, and often emerge stronger or more distributed, making them harder to track and dismantle.
Beyond the specific groups, broader trends in ransomware continue to pose significant challenges. Double extortion, where threat actors not only encrypt data but also exfiltrate it and threaten to leak it if the ransom is not paid, remains a prevalent tactic. This adds immense pressure on victims, as data recovery alone is no longer sufficient to mitigate the damage. Supply chain attacks, targeting vulnerabilities in widely used software or services to compromise multiple organizations simultaneously, are also on the rise, demonstrating a strategic shift towards maximizing impact and efficiency for the attackers. Furthermore, critical infrastructure remains a high-value target, with attacks on healthcare, energy, and transportation sectors posing risks not just to businesses but to public safety and national security.
Understanding the Ransomware-as-a-Service (RaaS) Model and its Resilience
The enduring strength of the ransomware ecosystem, despite law enforcement efforts, can largely be attributed to the effectiveness and resilience of the RaaS model. This business model compartmentalizes the ransomware operation, allowing specialists to focus on their respective areas. Core developers create and maintain the ransomware code, infrastructure, and payment portals. Affiliates, often recruited through underground forums, are responsible for gaining initial access to target networks, deploying the ransomware, and negotiating with victims. The profits are then split, typically with developers taking 20-30% and affiliates keeping the rest.
This division of labor makes the RaaS model incredibly robust. If one component is disrupted (e.g., a group of affiliates is arrested), the core developers can simply recruit new ones. If the core group itself is targeted, its affiliates might simply switch to a different RaaS platform or even launch their own, using the experience and tools gained. This decentralized, adaptable structure allows groups like Conti to "dissolve" only to have its operational capabilities rapidly reconstituted under new names, demonstrating a hydra-like quality where cutting off one head often results in two more taking its place. The ease of entry for new affiliates, coupled with the lucrative potential, ensures a continuous supply of participants in this illicit economy.
Economic and Societal Impact of Ransomware
The economic toll of ransomware attacks is colossal and continues to escalate. Estimates from various cybersecurity firms and governmental bodies suggest that the global cost of ransomware could reach tens of billions of dollars annually, encompassing not only ransom payments but also the expenses associated with business interruption, data recovery, reputational damage, and investments in enhanced cybersecurity measures. Beyond financial losses, ransomware attacks have tangible societal impacts. Disruptions to healthcare systems can delay critical medical procedures, while attacks on essential services can compromise public safety and trust. The psychological toll on employees and executives dealing with the aftermath of a breach is also significant.
Governments worldwide are increasingly recognizing ransomware as a national security threat. The US government’s targeted actions against Conti, including the reward offer, reflect a broader strategy to disrupt the financial and operational lifelines of these criminal organizations. International cooperation, sharing intelligence, and coordinating law enforcement efforts are becoming vital components of this global fight, acknowledging that ransomware is a borderless crime.
Defensive Posture and Counter-Ransomware Efforts
In light of the ongoing ransomware resurgence, organizations are compelled to maintain and enhance their defensive postures. Industry experts consistently advocate for a multi-layered security strategy that includes:
- Robust Backup and Recovery Systems: Regular, immutable backups stored offline are crucial for quick recovery without succumbing to ransom demands.
- Multi-Factor Authentication (MFA): Implementing MFA across all systems significantly reduces the risk of unauthorized access, even if credentials are compromised.
- Patch Management: Promptly applying security patches and updates to operating systems, applications, and network devices closes known vulnerabilities.
- Employee Training: Educating employees about phishing, social engineering, and other common attack vectors remains a frontline defense.
- Network Segmentation: Dividing networks into smaller, isolated segments can contain the spread of ransomware if a breach occurs.
- Endpoint Detection and Response (EDR): Advanced EDR solutions can detect and respond to suspicious activities on endpoints before they escalate.
- Incident Response Plan: Having a well-defined and regularly tested incident response plan is critical for minimizing downtime and damage.
- Threat Intelligence: Staying updated on the latest tactics, techniques, and procedures (TTPs) of active ransomware groups like Lockbit, Hiveleaks, and BlackBasta allows for proactive defense.
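The EDR and threat-intelligence items above are easier to reason about with a concrete detector in hand. The following is an added example, not code from the NCC Group report or from any EDR product: a small Python script that runs two defender-side heuristics over constructed file-activity telemetry. It flags a process that writes many files with the same uncommon extension inside a short window (the mass-encryption pattern common to the RaaS strains discussed here) and a process that drops a ransom-note-like file. The event format, the ".lock9" extension, the hosts, pids, paths and the note-name pattern are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry, one file event per line:
#   <ISO timestamp> <host> <pid> <action> <path>
# Hosts, pids, paths and the ".lock9" extension are made up for this example.
SAMPLE_EVENTS = r"""
2022-07-14T09:00:01 ws-03 2211 WRITE C:\Users\bob\Documents\report.docx
2022-07-14T09:00:05 ws-03 2211 WRITE C:\Users\bob\Documents\draft.docx
2022-07-14T09:00:09 ws-03 2211 WRITE C:\Users\bob\Documents\final.docx
2022-07-14T09:10:00 ws-17 5120 WRITE C:\Users\alice\Documents\budget.xlsx.lock9
2022-07-14T09:10:02 ws-17 5120 WRITE C:\Users\alice\Documents\notes.docx.lock9
2022-07-14T09:10:04 ws-17 5120 WRITE C:\Users\alice\Pictures\holiday.jpg.lock9
2022-07-14T09:10:06 ws-17 5120 WRITE C:\Users\alice\Desktop\todo.txt.lock9
2022-07-14T09:10:08 ws-17 5120 WRITE C:\Users\alice\Desktop\plan.pptx.lock9
2022-07-14T09:10:11 ws-17 5120 WRITE C:\Users\alice\Desktop\contract.pdf.lock9
2022-07-14T09:10:15 ws-17 5120 CREATE C:\Users\alice\Desktop\RESTORE-MY-FILES.txt
"""

WINDOW = timedelta(seconds=60)   # burst window (assumed tuning value)
THRESHOLD = 5                    # files with the same new extension inside WINDOW
# Extensions a user process commonly writes; bursts of these are not flagged.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".tmp", ".log"}
# File names that look like ransom notes (assumed, deliberately coarse pattern).
NOTE_RE = re.compile(r"^(readme|restore|recover|decrypt|how[_-]?to)[^\\/]*\.(txt|html?|hta)$",
                     re.IGNORECASE)


def parse_event(line):
    """Turn one telemetry line into a dict; return None for blank or malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, pid, action, path = parts
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "action": action.upper(), "path": PureWindowsPath(path)}


def detect(lines):
    """Run both heuristics over an iterable of event lines and return a list of alerts."""
    recent = defaultdict(deque)   # (host, pid) -> deque of (timestamp, suffix)
    alerted = set()               # (host, pid, suffix) combinations already reported
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in ("WRITE", "CREATE"):
            continue
        key = (ev["host"], ev["pid"])
        suffix = ev["path"].suffix.lower()

        # Heuristic 2: a ransom-note-like file name created by the process.
        if ev["action"] == "CREATE" and NOTE_RE.match(ev["path"].name):
            alerts.append({"kind": "ransom_note", "host": ev["host"], "pid": ev["pid"],
                           "detail": str(ev["path"])})

        # Heuristic 1: many files gaining the same uncommon extension in a short window.
        q = recent[key]
        q.append((ev["ts"], suffix))
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()
        same = sum(1 for _, s in q if s == suffix)
        if same >= THRESHOLD and suffix not in COMMON_EXTENSIONS and key + (suffix,) not in alerted:
            alerted.add(key + (suffix,))
            alerts.append({"kind": "mass_rename_burst", "host": ev["host"], "pid": ev["pid"],
                           "detail": f"{same} files written with extension {suffix!r} "
                                     f"within {WINDOW.seconds}s"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample above the benign host ws-03 produces nothing, while ws-17 yields one burst alert at the fifth ".lock9" write and one ransom-note alert. The window and threshold are the knobs a detection engineer would tune against a baseline of normal activity: backup agents and build tools also write many files quickly, which is why the burst check ignores common extensions and why the note-name check is best treated as corroborating evidence rather than a standalone trigger.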
Official responses from governments and international bodies continue to evolve. Beyond law enforcement actions, there is a growing emphasis on public-private partnerships to share threat intelligence and develop collective defense strategies. Sanctions against countries harboring ransomware groups and efforts to disrupt cryptocurrency laundering channels are also part of a broader, coordinated approach to make ransomware less profitable and more perilous for the perpetrators.
Looking Ahead: Predictions and Challenges
The current trajectory suggests that the ransomware threat is unlikely to diminish in the near future. As the NCC Group report authors speculated, now that Conti’s components have "properly split" and re-established themselves, "it would not be surprising to see these figures further increase as we move into August." The adaptability of these groups, coupled with the persistent availability of vulnerabilities and the lure of substantial profits, ensures that ransomware will remain a top cybersecurity concern.
The challenges for organizations and governments are multifaceted. They include staying ahead of rapidly evolving threat actors, addressing the skills gap in cybersecurity, fostering greater international cooperation, and developing effective legal and policy frameworks to deter and punish cybercriminals. For businesses, the imperative is clear: invest proactively in cybersecurity, prioritize resilience, and treat ransomware defense not as an IT issue, but as a fundamental business risk. The ongoing saga of Lockbit’s dominance and the re-emergence of Conti’s offshoots serve as a stark reminder of the dynamic and relentless nature of the cyber threat landscape.